Re: IP forwarding and OpenVPN


On 11/4/10 3:39 AM, Bart Schaefer wrote:
> On Wed, Nov 3, 2010 at 7:05 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
>> You probably are forwarding packets to the other end of the vpn. Does whatever
>> is on the other end have a route back to your 192.168.144.x range through that
>> end of the vpn?
>
> Ah, that may indeed be the problem.  I'm a bit rusty with this stuff.
> The CentOS box is doing IP forwarding, but that doesn't mean that it's
> actually acting as a NAT?

No, NAT is something you do in iptables, and if you have done it, the setup is 
likely to be interface-specific.

>  On the far end, 192.168.144.0/255 would
> just use the default route, which is to the gateway for the network to
> which the VPN is connected.  There's no explicit route for my LAN
> range.

Quick check is a traceroute from the remote server to a 192.168.144.x address. 
If it doesn't go into the tunnel interface, you need to add a route for the range 
via the remote tunnel IP.

>> Connections from the server itself will source from the tunnel
>> address, not the LAN.
>
> Well, yeah, that part I expected.  I was presuming the return packets
> would go back to the tunnel address, which would send them to my
> server, which would then NAT them back to the original LAN source; but
> maybe that translation isn't happening where I thought it was.

No, you can NAT at the tun interface but then the connections only work in one 
direction.  Normally for LAN-LAN connections you want to maintain and route the 
private ranges and only NAT at the internet gateways.

-- 
   Les Mikesell
    lesmikesell@xxxxxxxxx


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
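
The return-route check described in the message above, as an added example that is not part of the original thread: it reads the egress interface from `ip route get` output on the far-end server and prints the route to add when the LAN range does not leave via the tunnel. The /24 mask, the device name `tun0`, the sample addresses and the `<REMOTE_TUNNEL_IP>` placeholder are assumptions; the two sample lines are constructed.

```shell
#!/bin/sh
# Added example: does the far-end server route the LAN range into the tunnel?
LAN_NET="192.168.144.0/24"      # assumed /24 for the thread's 192.168.144.x range
LAN_HOST="192.168.144.1"        # constructed address inside that range
TUN_DEV="tun0"                  # assumed OpenVPN device name
TUN_PEER="<REMOTE_TUNNEL_IP>"   # placeholder: tunnel IP of the LAN-side VPN endpoint

# Print the interface that follows the "dev" keyword in `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the looked-up route leaves through the tunnel device.
via_tunnel() {
    [ "$(egress_dev "$1")" = "$TUN_DEV" ]
}

# Report the verdict and, when the route is missing, the command that adds it.
check_return_route() {
    if via_tunnel "$1"; then
        echo "OK: $LAN_HOST is routed via $TUN_DEV"
    else
        echo "MISSING: $LAN_HOST leaves via $(egress_dev "$1"), not $TUN_DEV"
        echo "fix: ip route add $LAN_NET via $TUN_PEER dev $TUN_DEV"
    fi
}

# Constructed `ip route get` output: default route only, then with the LAN route.
SAMPLE_DEFAULT="192.168.144.1 via 10.0.0.1 dev eth0 src 10.0.0.20"
SAMPLE_TUNNEL="192.168.144.1 via 10.8.0.5 dev tun0 src 10.8.0.6"

if [ "${1:-}" = "--live" ]; then
    # On the far-end server: query the kernel routing table directly.
    check_return_route "$(ip route get "$LAN_HOST" | head -n 1)"
else
    check_return_route "$SAMPLE_DEFAULT"
    check_return_route "$SAMPLE_TUNNEL"
fi
```
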

